Smartphone fingerprint scanners are still not secure enough

Android just can’t seem to get a break lately. After the really frightening Stagefright bug and then a slightly related vulnerability exposed by security firm Trend Micro, another component is being branded as insecure. Granted, it’s not a widespread malady this time as only Android smartphones with fingerprint sensors are affected. Tao Wei and Yulong Zhang, both researchers from FireEye, are singling out the Samsung Galaxy S5 and HTC One Max as the most vulnerable examples of this case at the Black Hat security conference this week.

This report isn’t actually new. In April, FireEye already brought the issue to Samsung’s and the public’s attention. It detailed how hackers can silently gather fingerprint data from the device with owners being none the wiser. Although a lot of promises and actions may have been made since that day, the overall situation may have not changed at all.

The researchers now expand their list to include smartphones from Huawei and HTC that bear such sensors. That dose limit the reach of the vulnerability but doesn’t mitigate the effects. Hackers need not even gain access to secure areas of the device’s memory, only the fingerprint sensor is enough. Once obtained, that fingerprint information can be used in other non-mobile situations, like identification.

The problem, according to FireEye’s researchers, is that vendors that ship with fingerprint sensors don’t lock them down well enough. Gaining access to the sensor isn’t exactly difficult. With fingerprints becoming a favorite biometric security feature these days, one would expect some level of vigilance on the part of manufacturers. To be fair to Samsung and HTC and smarthphones in general, they aren’t the only ones. FireEye also notes that even laptops with such sensors can be open to attack. In contrast, the researchers cite Apple as the prime example of how to do it right. On the iPhone, fingerprint data from the sensor is encrypted, making it useless even if hackers are able to directly read data from the sensors.

FireEye’s April vulnerability expose was supposedly already fixed on Android 5.0 and later. In fact, both the Galaxy S5 and the One Max, by default, run on older Android versions. The researchers make no mention of the specifics of Android versions. They don’t also include the Galaxy S6, a more recent model that does also have a fingerprint sensor installed.